[ale] Samba setup

Michael Trausch fd0man at gmail.com
Fri Aug 5 10:01:24 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Wright wrote:
> 
>> Using Ubuntu...
>> here is the machine account script that SAMBA had as default in smb.conf
> 
>> add machine script = /usr/sbin/useradd -s /bin/false \-d /dev/null %u
> 

You can do that, too, I think, but I'd test it by hand first to make
sure that everything works before enabling that.  What I typically do
after I have the settings down pat is create a new script "adduser" that
will add the user to Samba and the UNIX password file at the same time.
This gives the user flexibility to maintain separate Windows Domain and
UNIX passwords if they choose to do so.

Something that I'd missed in my earlier read:  The "unable to lock
password file" error.  It is possible that something happened that
prevented useradd or something else (such as passwd) from unlocking the
file when it was done.  Locks are done differently depending on the
back-end authentication system that you're using, such as PAM or
something else, but you can try looking for a /etc/passwd.lock or
/etc/shadow.lock file and if they exist, try doing a grep through the
process list for any hung utility that would manipulate those files
(passwd, useradd, chsh, or anything similar).  I'm not sure what
particular set of items are used in Ubuntu or its parent distribution,
so I can only offer that generic help on that.  Sorry that I missed that
earlier.

> 
>> Not sure what you are recommending.  The user definitions at the end of
>> the testparm output were created by the SAMBA scripts.  Is this
>> redundant with the [homes] section "on"? 
> 

Yes, the [homes] section is the one that Windows will wind up mounting
as the user's "home directory".  You can then set Windows to point
things such as My Documents to that directory -- which will make their
Windows profile smaller, because otherwise, "My Documents" is contained
*within* the user's roaming profile and not just on their netdrive.
Since Z:\ is mounted at logon, and it is unmounted after the profile is
no longer in use (e.g., at logout), it creates a lot of network
bandwidth usage if you keep everything in %USERPROFILE%\My Documents
instead of something like Z:\My Documents.

I suspect that there is a setting on the Windows master registry for
this, but if there isn't you can have it included to be set by your
network login script.  (For example, mount a read-only temporary drive
on Y: or something where you'd pull registry hives to be imported into
the user registry at every logon - this is a "catch all" situation so
that the user doesn't need to do any work and it will work with your new
users, too.)

> 
>> I will do this when I get the domain authentication working.  I am going
>> to recommend a backup strategy that uses external drives as the shared
>> data folders.
>> I am thinking that one firewire drive could be the shared folder and I
>> could use rsync to copy it to a second drive that could be removed to a
>> secure location.  With three spare 
>> drives this could provide off site disk backup of their data each week. 
> 
> Lastly, I would recommend that you upgrade this setup to Samba 3 -- it
> has more up-to-date support for systems on the network, and as your
> userbase there migrates upward towards Windows XP, you won't have any
> issues with the Samba server running 3.0.  It does a great job.
> 
>> It is SAMBA 3
> 

I think I was looking at some stuff earlier in the day yesterday that
was Samba 2.x.x related and for some reason I had confused that with
something I thought I read in here.  Whoops.  :-)

So far, I can't complain about its usage as a domain controller on this
network.  It is just a home network, but I've seen setups like this work
in larger environments, too.  It's just a matter of tweaking everything
to be just right -- and once it's done, it's pretty much done.

	- Mike

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC83E0PXInbkqM7nwRAmrSAJ9QT/tKMSDIiFjBuhvD39QauzFiIwCgnMpS
G5X847vbTPeUxRyvgKM6qOs=
=J55d
-----END PGP SIGNATURE-----
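
The check described in the message for the "unable to lock password file" error, written out as an added sketch that is not part of the original post: look for the two lock files, then look for a live utility that could be holding them. The function names are hypothetical, the tool list extends the message's "passwd, useradd, chsh" with related utilities as an assumption, and it reads Linux /proc/*/comm rather than grepping ps output.

```shell
#!/bin/sh
# Added example, not from the original message.
# Lock files named in the message; the directory is a parameter for dry runs.
LOCK_NAMES="passwd.lock shadow.lock"
# passwd, useradd and chsh come from the message; the rest are assumed relatives.
TOOLS="passwd useradd chsh usermod userdel chfn vipw"

# Print each lock file that exists under directory $1 (default /etc).
find_locks() {
    dir=${1:-/etc}
    for name in $LOCK_NAMES; do
        [ -e "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    return 0
}

# Print "PID NAME" for every process under proc root $1 (default /proc)
# whose command name matches one of $TOOLS.
find_holders() {
    proc=${1:-/proc}
    for comm in "$proc"/[0-9]*/comm; do
        [ -r "$comm" ] || continue          # unmatched glob or vanished process
        name=$(cat "$comm" 2>/dev/null) || continue
        for tool in $TOOLS; do
            if [ "$name" = "$tool" ]; then
                pid=${comm%/comm}
                printf '%s %s\n' "${pid##*/}" "$name"
            fi
        done
    done
    return 0
}

# clear = no lock file; held = lock file and a matching live process;
# stale = lock file with no matching process (the case the message suspects).
lock_status() {
    locks=$(find_locks "$1")
    [ -z "$locks" ] && { echo clear; return 0; }
    holders=$(find_holders "$2")
    if [ -n "$holders" ]; then echo held; else echo stale; fi
}

# Report for the live system.
echo "status: $(lock_status /etc /proc)"
find_locks /etc
find_holders /proc
```
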